Balancing Privacy and Free Expression in the ‘Right To Be Forgotten’

Today, CDT is releasing a paper analyzing the free expression implications of the proposed “Right to Be Forgotten” in the draft European Data Protection Regulation (DPR). The Right to Be Forgotten concept has received much attention since the DPR was first introduced, and while we understand the concerns that motivate the proposal, CDT continues to have serious misgivings about the DPR’s approach to the concept. As described in Article 17, the Right to Be Forgotten would put private companies in the position of balancing users’ free expression and privacy rights – a difficult task that has traditionally been the purview of courts and legislatures, and one that companies are not equipped to undertake. Further, the DPR puts a heavy thumb on the scale on the side of privacy, promising high fines if companies violate the regulation, but providing only narrowly scoped safeguards for journalistic and artistic expression.

The proposed Article 17 allows any user to request that an online service provider delete all of the data about her that the service provider possesses. If that information has been made publicly available, data controllers are required to notify third parties that link to, or have copies of, the data about the deletion request. This broad conception of the Right to Be Forgotten fails to adequately consider the free expression concerns inherent in a right to remove true, lawfully published information from the public record. Quoting and commentary are integral to free expression; yet Article 17 could chill such expression, since a deletion request would extend to third-party references to the data an individual asks to have deleted. Article 80 requires Member States to make a limited accommodation for free expression, but that provision falls short of standards required by international human rights instruments. If adopted, the “Right to Be Forgotten” proposal would generate a variety of regulations to protect free expression throughout Member States, creating a lack of clarity for both individuals and data processors regarding what standards apply to a deletion request and what balance must be struck between privacy and free expression.

Since the DPR was introduced, several modifications and amendments to it have been proposed. Notably, European Parliament Rapporteur Jan Albrecht has proposed in a draft report several amendments relating to Article 17 that address some of our concerns. For example, the Albrecht Report would amend Article 80 to require Member States to adopt legislation that protects free expression in accordance with the Charter of Fundamental Rights for the European Union and the European Convention on Human Rights. It would also limit controllers’ obligations to take “all necessary steps to have the data erased” from third parties’ services only to cases where the controller had illegally published the data. This is an important narrowing from the original draft, but one that still leaves the unworkably broad “all necessary steps” obligation in place. Further, the Albrecht Report does not effectively limit the scope of data covered by Article 17, leaving the critical flaw that would give a user the right to order the takedown of information beyond what she herself has posted. As a result, the obligations placed upon data controllers would remain insurmountably high, with undoubtedly negative consequences for users’ online expression.

In our paper, we propose additional amendments to the DPR intended to bring Article 17 into a better balance between users’ privacy and free expression rights, and to clarify the obligations upon controllers. Article 17 would only apply to personal data that an individual has previously chosen to store remotely or host on a controller’s site. Controllers and processors would only be required to contact entities with whom they had a direct contractual relationship, to ensure removal of a user’s data. Finally, Article 80 would be amended to state definitively that no provisions of the DPR could supersede or limit free expression rights granted by Article 10 of the European Convention on Human Rights. We hope that these amendments and our analysis of the DPR will continue to provide European legislators with useful ideas for how to ensure the protection of user privacy while respecting users’ free expression rights in accordance with international human rights law. CDT looks forward to remaining involved in the continued debate regarding the adoption of the DPR as it proceeds over the coming months.